Lessons from compliance and the intersection of enterprise risk management and internal audit

At the Society of Corporate Compliance and Ethics’ (SCCE) annual Higher Education Compliance Conference in June 2021, a diverse set of college and university compliance professionals shared their perspectives on a variety of compliance topics. Baker Tilly facilitated a panel discussion with compliance leaders from two private universities to share their perspectives and lessons learned on compliance and the intersection with enterprise risk management (ERM) and internal audit.

The discussion panel focused on three primary objectives:

• Understanding key interdependencies between compliance, ERM and internal audit
• Exploring how collaboration leads to an enhanced culture of compliance and ethical behavior
• Sharing experiences and lessons learned from leveraging relationships between compliance and other institutional partners

The panel focused on three overall themes:

Theme 1: How do the elements of an effective compliance program align with or differ from ERM?

Institutions often leverage the framework set forth in the Federal Sentencing Guidelines to develop a customized compliance program that can support both ethics and compliance. Effective compliance programs typically include the following elements:

• Preventing and detecting criminal conduct
• Having leadership oversight of the compliance program
• Rejecting individuals with a history of misconduct from leadership positions
• Providing effective training on compliance programs
• Monitoring the mechanism(s) used for reporting
• Using positive reinforcement/punishment for misconduct
• Initiating investigations in a timely manner
• Implementing periodic modifications to the compliance program

While compliance programs are often driven by external regulation, ERM is geared towards helping institutions identify and mitigate risks that may impede attaining strategic goals and objectives. Additionally, ERM is rooted in creating a risk-aware culture that takes a consistent approach to risk management, often through enhanced and informed decision-making with a goal of achieving efficiency and optimization.

Compliance and ERM both utilize a similar method in identifying, assessing and managing enterprise and compliance risks. However, success for both sets of stakeholders requires leadership buy-in and sponsorship, process governance, careful integrated planning, accountability and clear communication strategies.

Examples of typical compliance and combined ERM structures include:

• A combined office integrating internal audit, ERM and compliance
• A hybrid office that has oversight of an ERM program and the compliance function
• Stand-alone offices that separate the distinct compliance and ERM functions

Theme 2: What opportunities exist for enhanced collaboration between an institution’s compliance function and ERM?

There are tremendous benefits for institutions that connect their compliance and ERM frameworks. The compliance and ERM partnerships, along with ongoing collaboration, are critical to moving compliance forward alongside the insights ERM provides.

Stakeholders should develop an approach that not only enables a proactive evaluation of the compliance and ethics-related risks their institution faces today, but also considers whether there are other emerging or trending risks that could have an impact in the future.

The discussion panelists highlighted some examples or areas that they believe have potential for enhanced collaboration:

• Conducting or leveraging shared enterprise risk assessments may help align the mitigation strategies and future work plans
• Enhancing or providing new and innovative methods for information-sharing to identify and address emerging risks in a timely manner
• Identifying new risks or potential changes in the risk landscape that could have an impact across the institution
• Integrating or enhancing how information is shared with and communicated to the board, management or other key stakeholders
• Conducting integrated audits, reviews or assessments with the subject matter specialist(s) to appropriately evaluate new and emerging risk areas

Further, it is important to remember that enterprise risk can be viewed either from a holistic perspective or divided into its strategic and operational components. This can help to effectively identify and mitigate large-scale risks while still accounting for a cross-functional and operational view of risk and helping to differentiate priorities for an institution.

Theme 3: What lessons or tips can be shared to help peers better leverage the relationships between compliance and other institutional partners?

COVID-19 created a variety of challenges over the past 12-18 months. However, many valuable lessons emerged from the complexities caused by the pandemic, such as:

• Compliance programs can connect stakeholders together quickly and efficiently because of relationships formed across the institution
• Monitoring the emerging risk landscape and regularly engaging institutional leaders can generate an effective risk management program that considers short-, medium-, and long-term risks
• There continues to be new and emerging channels and methods of communication that must be considered. What used to be a challenge in a decentralized environment has now opened up a new way of communicating by using technologies, such as Zoom and Microsoft Teams, while continuing to find opportunities for in-person communication
• The pandemic provided a unique opportunity to evaluate an institution’s risk management program. Institutions had a first-hand perspective on their successes and lessons learned while navigating risk management through the “live” pandemic environment

With further development of compliance and ERM programs, institutions have a growing opportunity to enhance the level of collaboration, information sharing and communication on key compliance and ethics risks that their institutions face or will be likely to face in the future.

For more information, or to learn how Baker Tilly’s higher education compliance specialists can help your institution, contact our team.